.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "MOD_APPARMOR 8" .TH MOD_APPARMOR 8 "2021-04-03" "AppArmor 2.13.6" "AppArmor" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" mod_apparmor \- fine\-grained AppArmor confinement for Apache .SH "DESCRIPTION" .IX Header "DESCRIPTION" An AppArmor profile applies to an executable program; if a portion of the program needs different access permissions than other portions, the program can \*(L"change hats\*(R" via \fBaa_change_hat\fR\|(2) to a different role, also known as a subprofile. The mod_apparmor Apache module uses the \&\fBaa_change_hat\fR\|(2) mechanism to offer more fine-grained confinement of dynamic elements within Apache such as individual php and perl scripts, while still allowing the performance benefits of using mod_php and mod_perl. .PP To use mod_apparmor with Apache, ensure that mod_apparmor is configured to be loaded into Apache, either via a2enmod, yast or manual editing of the \&\fBapache2\fR\|(8)/\fBhttpd\fR\|(8) configuration files, and restart Apache. Make sure that apparmor is also functioning. .PP Once mod_apparmor is loaded within Apache, all requests to Apache will cause mod_apparmor to attempt to change into a hat that matches the ServerName for the server/vhost. If no such hat is found, it will first fall back by attempting to change into a hat composed of the ServerName-URI (e.g. \*(L"www.example.com\-/app/some.cgi\*(R"). If that hat is not found, it will fall back to attempting to use the hat named by the \s-1URI\s0 (e.g. \*(L"/app/some.cgi\*(R"). If that hat is not found, it will fall back to attempting to use the hat \s-1DEFAULT_URI\s0; if that also does not exist, it will fall back to using the global Apache profile. Most static web pages can simply make use of the \s-1DEFAULT_URI\s0 hat. .PP Additionally, before any requests come in to Apache, mod_apparmor will attempt to change hat into the \s-1HANDLING_UNTRUSTED_INPUT\s0 hat. mod_apparmor will attempt to use this hat while Apache is doing the initial parsing of a given http request, before its given to a specific handler (like mod_php) for processing. .PP Because defining hats for every \s-1URI/URL\s0 often becomes tedious, mod_apparmor provides the AAHatName and AADefaultHatName Apache configuration options. .IP "\fBAAHatName\fR" 4 .IX Item "AAHatName" AAHatName allows you to specify a hat to be used for a given Apache , , or directive (see the Apache documentation for more details). Note that mod_apparmor behavior can become confused if and directives are intermingled and it is recommended to use one type of directive. If the hat specified by AAHatName does not exist in the Apache profile, then it falls back to the behavior described above. .IP "\fBAADefaultHatName\fR" 4 .IX Item "AADefaultHatName" AADefaultHatName allows you to specify a default hat to be used for virtual hosts and other Apache server directives, so that you can have different defaults for different virtual hosts. This can be overridden by the AAHatName directive and is checked for only if there isn't a matching AAHatName. The default value of AADefaultHatName is the ServerName for the server/vhost configuration. If the AADefaultHatName hat does not exist, then it falls back to the behavior described above. .SH "URI REQUEST SUMMARY" .IX Header "URI REQUEST SUMMARY" When profiling with mod_apparmor, it is helpful to keep the following order of operations in mind: .PP On each \s-1URI\s0 request, mod_apparmor will first \fBaa_change_hat\fR\|(2) into ^HANDLING_UNTRUSTED_INPUT, if it exists. .PP Then, after performing the initial parsing of the request, mod_apparmor will: .IP "1." 4 try to \fBaa_change_hat\fR\|(2) into a matching AAHatName hat if it exists and applies, otherwise it will .IP "2." 4 try to \fBaa_change_hat\fR\|(2) into an AADefaultHatName hat, either the ServerName (the default) or the configuration value specified by the AADefaultHatName directive, for the server/vhost, otherwise it will .IP "3." 4 try to \fBaa_change_hat\fR\|(2) into the ServerName-URI, otherwise it will .IP "4." 4 try to \fBaa_change_hat\fR\|(2) into the \s-1URI\s0 itself, otherwise it will .IP "5." 4 try to \fBaa_change_hat\fR\|(2) into the \s-1DEFAULT_URI\s0 hat, if it exists, otherwise it will .IP "6." 4 fall back to the global Apache policy .SH "BUGS" .IX Header "BUGS" \&\fBmod_apparmor()\fR currently only supports apache2, and has only been tested with the prefork \s-1MPM\s0 configuration \*(-- threaded configurations of Apache may not work correctly. For Apache 2.4 users, you should enable the mpm_prefork module. .PP There are likely other bugs lurking about; if you find any, please report them at . .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBapparmor\fR\|(7), \fBapparmor_parser\fR\|(8), \fBaa_change_hat\fR\|(2) and .